This policy memo calls for greater transparency in AI systems and proposes the use of Artificial Intelligence Bills of Materials (AIBOMs) to support supply chain assurance and resilience. We present two complementary practical courses of action for policymakers that can be adopted today to encourage AI vendors to better manage risk by providing visibility into the models, datasets, software, and services incorporated into their products and services. We also propose a path toward broader industry consensus and future standardization efforts.
Introduction
Artificial intelligence systems are rapidly becoming critical components of modern society, supporting applications ranging from healthcare and transportation to cybersecurity, critical infrastructure, scientific research, and national defense. The increasing dependence on AI systems across organizations, including almost every facet of the U.S. government, makes understanding the origins, dependencies, and supply chains of those systems an essential component of trust, resilience, and risk management.
Transparency and trust are fundamental building blocks of supply chain security. Supply chain security for advanced technology is vital to fostering resilience against cyberattacks, fraud, operational disruptions, and emerging risks. Identifying components and assets is the starting point for most cybersecurity programs. In the software ecosystem, this takes the form of the Software Bill of Materials (SBOM), “a formal record containing the details and supply chain relationships of the various components used in building the software.” Similar concerns about transparency and provenance in semiconductor supply chains have led to discussions around Hardware Bills of Materials (HBOMs). These concepts have increasingly been extended to AI systems through the idea of an Artificial Intelligence Bill of Materials (AIBOM), sometimes described as an “SBOM for AI.” In the past few years, discussions around AIBOMs have accelerated across cybersecurity communities, standards bodies, government agencies, and the supply chain solutions industry.
This policy memo argues that a future in which organizations can effectively manage AI supply chain risk will require AIBOMs. Widespread adoption of AIBOMs will require progress on both the demand side—the customers consuming AI products and services—and the supply side—the creators of those products and services. On the demand side, norms, contracts, procurement requirements, and regulation can create expectations that organizations developing and deploying AI systems should understand the components incorporated into those systems. On the supply side, guiding the development of tools, processes, and organizational practices that make AI transparency achievable at scale will require a consensus vision of the minimum elements of AIBOMs and standards.